The right not to be subject to automated decision-making under the General Data Protection Regulation: Standard permission or default prohibition?

Abstract

The right not to be subject to automated decision-making which has a legal or similar effect was originally taken up in the 1995 Privacy Directive and is thus not a new right in the General Data Protection Regulation (GDPR). The 1995 Privacy Directive left room for interpretation of its rights and obligations, of which the EU member states have made use. Some member states have interpreted the right as a ban on automated decision-making, while other member states allow automated decisions to which the data subject can object. The GDPR is a regulation, and therefore requires all EU member states to apply its rights and obligations in a uniform way. Therefore, a re-evaluation of current implementations of the right is necessary. This paper calls on the European legislators to take a clear standpoint. It also argues that the right not to be subject to automated decision-making should be interpreted as the default prohibition of automated decisions. This offers the most legal certainty to both companies and the individuals subject to said decisions. This interpretation is derived from the wording in the GDPR, the scope of the right to object to processing of personal data, and the spirit of the law.